On Mon, 25 Mar 2002 16:20:40 PST, Casey Schaufler said:

> Yes, the evaluation process is a royal pain in the bum,
> but that's mostly because so much software is developed
> without any thought to either "Real World" or "Contrived
> Circumstances" security. No documentation, no thought to
> how it will work with other software, no consideration of
> context. But that hasn't changed from the UNIX world.

As an additional "what we need in the trenches" datapoint - I've personally *never* actually had to spec "must have a DOD C2 security rating" on a system RPQ. On the other hand, I've had *plenty* of systems where "must have all the features" or "designed to meet" has been a requirement.

(OK - maybe for some of those systems "designed for C2" was only a 95% fit to what we *really* wanted - but it's a lot easier to send stuff out for bid that way just because it gets everybody on the same page faster...)

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
This archive was generated by hypermail 2b30 : Mon Mar 25 2002 - 17:36:46 PST